
chore: [DevOps] bump the production-minor-patch group with 2 updates #1198

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/main/production-minor-patch-e49e02faae

dependabot Bot commented on behalf of github Jun 8, 2026

Bumps the production-minor-patch group with 2 updates: org.springframework:spring-framework-bom and org.openapitools:openapi-generator.

Updates org.springframework:spring-framework-bom from 6.2.18 to 6.2.19

Release notes

Sourced from org.springframework:spring-framework-bom's releases.

v6.2.19

⚠️ Security Fixes

This maintenance release fixes a high number of CVEs; you can learn more about this in the "Spring and Security In The Times Of AI" blog post. Here is the full list of 16 CVEs:

  • CVE-2026-41838 "Spring Framework Predictable Session ID in WebSocket Module"
  • CVE-2026-41839 "Spring Framework Escalation via Session Fixation in WebFlux"
  • CVE-2026-41840 "Spring Framework Denial of Service via Multipart Requests in WebFlux"
  • CVE-2026-41841 "Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux"
  • CVE-2026-41842 "Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux"
  • CVE-2026-41843 "Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux"
  • CVE-2026-41844 "Spring Framework Open Redirect in Spring MVC and WebFlux"
  • CVE-2026-41845 "Spring Framework Cross-site Scripting via JavaScriptUtils"
  • CVE-2026-41846 "Spring Framework Cross-site Scripting via JSP Form Tags"
  • CVE-2026-41848 "Spring Framework Denial of Service via AntPathMatcher"
  • CVE-2026-41850 "Spring Framework Algorithmic Denial of Service via SpEL Expressions"
  • CVE-2026-41851 "Spring Framework Denial of Service via Unbounded Cache in SpEL"
  • CVE-2026-41852 "Spring Framework Arbitrary Method Invocation in SpEL Expressions"
  • CVE-2026-41853 "Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux"
  • CVE-2026-41854 "Spring Framework Server-Side Request Forgery via UriComponentsBuilder"
  • CVE-2026-41855 "Spring Framework Unsafe Deserialization via Jackson JMS Converters"

⭐ New Features

  • Improve path pattern matching #36886
  • Eagerly compute exit descriptors for negative literals #36887
  • Expose ClassLoader from DefaultDeserializer #36839
  • Refine default view name resolution #36794
  • Refine Jackson JMS converters #36792
  • Improve ABNF rule checks in RfcUriParser #36788
  • Detect custom deserialized NullValue instances in AbstractValueAdaptingCache #36728
  • Warn against unsafe static resource locations in MVC and WebFlux #36693
  • Consistent compatibility with Woodstox as an alternative to Xerces #36683

🐞 Bug Fixes

  • Data is lost for joined DataBuffer in DataBufferUtils #36874
  • CronExpression skips days on midnight DST gap #36873
  • Concurrency issue against shared cookie field in CookieLocaleResolver#setLocaleContext #36870
  • Server Sent Event does not support multi-line comments #36867
  • Regression in 6.2.0+: ConfigurationClassParser incorrectly removes component-scanned bean when the same class is also registered under a different name via XML #36849
  • Bean Background Bootstrap and Lazy Init #36847
  • Fix JSP tag processing #36798
  • Fix script processing capabilities #36796
  • Parsing failure for MIME type with quoted parameter values #36734
  • Circular dependency between supplier-created beans is silently ignored on startup #36732
  • Non-deterministic "Body token not expected" in org.springframework.http.codec.multipart.PartGenerator #36722
  • Regression on value class parameter handling #36720
  • Cache collisions in CachingResourceResolver #36718
  • Unexpected path element removal when resolving versioned resources #36699

... (truncated)

Commits
  • 6214eae Release v6.2.19
  • 76a36df Track operations during SpEL expression evaluation
  • 3d47da9 Ensure getters have non-void return types in SpEL
  • 519d733 Improve additional error messages in SpEL
  • ec89834 Further improve pattern caching in SpEL
  • b294371 Avoid too many character access attempts in AntPathMatcher
  • 1829b42 Ensure consistent JSP tag attribute processing
  • 86d9979 Refine JavaScriptUtils#javaScriptEscape
  • 3aaec98 Prevent special prefixes in default view name resolution
  • ee4e790 Add trusted packages to MappingJackson2MessageConverter
  • Additional commits viewable in compare view

Updates org.openapitools:openapi-generator from 7.22.0 to 7.23.0

Release notes

Sourced from org.openapitools:openapi-generator's releases.

v7.23.0 released

v7.23.0 stable release (breaking changes with fallbacks) comes with 170+ enhancements and bug fixes.

This release comes with 2 breaking changes (with fallback):

  • [jaxrs-spec][quarkus] Emit @RolesAllowed({"**"}) for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes and rename "useQuarkusSecurityAnnotations" to "useJakartaSecurityAnnotations" (Breaking change (with fallback)) #23680
  • fix(Kotlin): use the global apiNamePrefix and apiNameSuffix settings instead of apiSuffix (generator's option) (Breaking change (with fallback)) #23926

Below are the highlights of the changes. For a full list of changes, please refer to the "Pull Request" tab.

General

  • Normalizer: new rule LOOSE_NULL_DEFINITIONS to allow more null definitions in 3.0 spec. #23932
  • fix(InlineModelResolver): prevent numbered duplicate models from multi-file OAS 3.1 specs #23856
  • fix(core): normalize OAS 3.1 content media schemas #23851
  • [GRADLE-WRAPPER] feat: add configurable worker isolation and max heap size for code generation #23648 by
  • [GRADLE-WRAPPER] bug fix - pass maven java_home to gradle correctly #23646
  • Add security schemes filter normalizer option #23174

C#

  • [csharp][generichost] Deserialize present-but-null nullable enums #23912
  • [csharp] Fix HTTP signature auth failure on .NET 8 when query params contain special characters #23714
  • [csharp][restsharp] add throwOnAnyError option to surface client errors #23663
  • Fix/csharp reserved headers and file parameter not serialising correctly #23593
  • [csharp] Extend HostConfiguration with additional AddApiHttpClients signatures #22500

Dart

  • feat(dart): make requests abortable #23930
  • [Dart] Preserve uppercase names with trailing digits #23894
  • [BUG][DART] fix nullable nested array item handling #23365

Go

  • fix(go): avoid duplicate unknown enum defaults #23909
  • [go] support io.Reader and []byte response types in client decode #23789

Java

  • [Java][restclient] Build XmlMapper via builder when useJackson3=true #23872
  • [Java] [vertx] Allow PoolOptions configuration when vertx 5 #23829
  • feat(java/jersey3): add jackson 3 support #23819
  • feat(java/jersey3): Update jakarta annotation and validation libs #23810
  • [JAVA-SPRING] spring http interface library should support 'useBeanValidation' #23803
  • [jaxrs-spec][quarkus] Emit @PermitAll for unauthenticated operations (op/global empty security, anonymous OR alternative, no security defined) #23782
  • [JavaJaxRS] [CXF] Add Support for Jackson3 #23767
  • [jaxrs-spec][quarkus] Emit @RolesAllowed({scope}) for OAuth2 and OpenID Connect operations with explicit scopes #23752
  • [jaxrs-spec][quarkus] - Add CLI flag (useQuarkusSecurityAnnotations) to enable emitting security annotation (@Authenticated, @RolesAllowed, @PermitAll) #23699
  • [JAVA-SPRING;KOTLIN-SPRING] feature - add support for 'substituteGenericPagedModel' also for 'spring-cloud' libraries #23690
  • [jaxrs-spec][quarkus] Emit @RolesAllowed({"**"}) for HTTP Basic, Bearer, api-key and OAuth2 or OpenID with empty scopes and rename "useQuarkusSecurityAnnotations" to "useJakartaSecurityAnnotations" (Breaking change (with fallback)) #23680
  • [jaxrs-spec][quarkus]: Emit @​ResponseStatus annotation for 2XX success codes #23673
  • [Java] [vertx] Make supportVertxFuture compatible with vertx 5 #23660
  • Fix Jspecify nullable issue with spring boot 4 #23649
  • [java][spring] fix: disableDiscriminatorJsonIgnoreProperties not working #23640
  • [java] Support 'time-local' format #23555

... (truncated)

Commits
  • b9d967a v7.23.0 release (#23970)
  • 153d80f update C# samples
  • 5e44ee2 [csharp] Extend HostConfiguration with additional AddApiHttpClients signature...
  • 3aa0504 update kotlin-spring samples
  • 71e1fef fix(kotlin-spring): preserve 'default' response code in postProcessOperations...
  • 417840c [csharp][generichost] Deserialize present-but-null nullable enums (#23912)
  • da8c31c fix(dart): Optional<T> fromJson wrapping (#23811)
  • 3272a73 update scala samples
  • 170778a fix(InlineModelResolver): prevent numbered duplicate models from multi-file O...
  • 17a4d96 fix: add missing swagger2 tags import in rest-assured api.mustache (#23285) (...
  • Additional commits viewable in compare view


Bumps the production-minor-patch group with 2 updates: [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) and [org.openapitools:openapi-generator](https://github.com/openapitools/openapi-generator).


Updates `org.springframework:spring-framework-bom` from 6.2.18 to 6.2.19
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v6.2.18...v6.2.19)

Updates `org.openapitools:openapi-generator` from 7.22.0 to 7.23.0
- [Release notes](https://github.com/openapitools/openapi-generator/releases)
- [Changelog](https://github.com/OpenAPITools/openapi-generator/blob/master/docs/release-summary.md)
- [Commits](OpenAPITools/openapi-generator@v7.22.0...v7.23.0)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-minor-patch
- dependency-name: org.openapitools:openapi-generator
  dependency-version: 7.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and java labels Jun 8, 2026